When a Data Breach Becomes a Lawsuit: What Protects You and What Does Not

Most businesses have some security in place. Very few can actually prove it when someone asks. This month's article covers what "reasonable security" means in a legal context and why the documentation matters just as much as the measures themselves.


Your business suffers a data breach. Client records are exposed. Now a lawyer representing one of those clients asks a single question: "What security measures did you have in place?" What would your answer be, and could you prove it? That question is no longer theoretical. Businesses of all sizes are facing it from insurers, regulators, and, increasingly, the courts. The standard they apply is not whether your security was perfect but whether it was reasonable and whether you can demonstrate that it was.

What "reasonable security" actually means

Reasonable security is not a fixed checklist; it is a judgement call based on what a business of your size, in your industry, with access to your resources, could and should have done. Factors that get weighed include whether you had antivirus software and a firewall in place, whether staff received any security training, whether software was kept up to date, whether sensitive data was protected with encryption or access controls, and whether you had a documented process for responding to incidents.

The uncomfortable reality is that many small businesses have some of these in place but cannot document any of them. Verbal assurances do not hold up in a dispute. "We always kept things updated" is not evidence.

The documentation problem

When an insurer reviews a breach claim, or when a court assesses liability, the question is not just what you had in place but also what you can prove you had in place. Organizations that work with a Technology Security Partner have a significant advantage here, because a well-run TSP not only implements security measures but also generates a paper trail.

Patch management records show when updates were applied and to which systems. Monitoring logs show that threats were being actively detected. Policy documents show that staff were given clear guidance. Backup records show that recovery procedures existed and were tested. Each of these serves as evidence that security was treated as an ongoing responsibility rather than an afterthought.

Where businesses get caught out

The most common scenario is not one where a business had no security but one where a business had some security and thought it was sufficient but had no formal oversight and no records to show for it: consumer-grade tools installed years ago but never reviewed; software updates applied inconsistently; no written policy, training logs, or incident response plan.

In a dispute, that picture is difficult to defend. The absence of documentation is read as an absence of diligence, and diligence is exactly what the reasonable security standard requires.

A second scenario involves relying on a single person, whether an internal staff member or a sole contractor, who understood the setup but kept no formal records. If that person leaves or is simply unavailable when a dispute arises, there is nothing to refer to. The security may well have been sound, but the business has no way to demonstrate it.

What a Technology Security Partner brings to this

Working with a TSP means that security is not just implemented; it is managed, monitored, and recorded. The relationship comes with regular reviews, written documentation, and a clear record of what was in place and when. If a breach does occur, that documentation becomes part of how you respond to it, not something you scramble to produce after the fact.

It also means the security itself is more likely to meet the reasonable standard, because it is built around current best practice rather than a setup that has not been reviewed in three years.

This is worth thinking about before something goes wrong

Reasonable security is not about perfection. It is about proof.

Most businesses think security fails when tools fail. In reality, security fails when you cannot show what you did, when you did it, and why.

Old way: set it up once and assume it is fine. New way: treat security as an ongoing process with records to back it up.

Here is the five-minute move.

Ask yourself one question. If something went wrong tomorrow, what documents could you hand to an insurer or attorney today? If the answer is none or not sure, that is the gap.

This is why a Technology Security Partner matters. Not just to install tools, but to create evidence. Logs. Policies. Reviews. A paper trail that shows diligence, not guesses.

Do this before you need it. After the fact is too late.

If you want to know where your security actually stands and what reasonable looks like for your business, Borked PC can help.

👉 New to Borked PC? Start by filling out our quick Right Fit Questionnaire to see if Borked PC could be the right IT and Cybersecurity Partner for you.

📞 Or schedule a free 15 minute call at a time that works for you: Book a call

Prefer to talk now? Give us a call at (610) 599‑6195.